RBI Cracks Down on AePS Fraud
RBI Fortifies Aadhaar Payments: New Rules to Combat AePS Fraud from Jan 2026
Have you ever used your Aadhaar and fingerprint to withdraw cash from a local kirana store or a business correspondent?
The convenience of the Aadhaar Enabled Payment System (AePS) has been a game-changer for financial inclusion, especially in rural areas.
However, with great convenience comes great opportunity for fraudsters. The Reserve Bank of India (RBI) has taken a significant step to address this issue, issuing new guidelines to make AePS transactions much safer.
AePS Volumes (Source: NPCI)
The Gist of the Circular
Dated June 27, 2025, the RBI's circular, "Due Diligence of Aadhaar Enabled Payment System (AePS) Touchpoint Operators" is a direct response to increasing reports of fraud involving identity theft and compromised customer credentials within the AePS ecosystem.
Essentially, the RBI wants to enhance the trust and security of AePS, which is operated by the National Payments Corporation of India (NPCI) and facilitates interoperable transactions using Aadhaar authentication.
Why the concern: The RBI's circular explicitly states that "there have been reports of frauds perpetrated through AePS due to identity theft or compromise of customer credentials."
Illustrative AePS Fraud Scenarios
Cloning of Fingerprints/Biometric Data: Imagine a fingerprint, used for a legitimate transaction, being secretly copied.
Fraudsters can then create a "clone" of your biometric data, which is subsequently used to authorize unauthorized AePS transactions, draining money from your account without your direct knowledge. This is a direct form of identity theft.
Collusion by Malicious Operators/Insider Fraud: In some alarming cases, unscrupulous AePS touchpoint operators (ATOs) might collude with fraudsters.
They could deliberately misuse a customer's Aadhaar and biometric data after a legitimate transaction, or even exploit details of dormant accounts.
An operator with direct access to the AePS system could exploit this access for fraudulent withdrawals or transfers.
Exploiting Vulnerabilities at Unverified Touchpoints: Before these new guidelines, there have been instances of less rigorously vetted or even unauthorized AePS touchpoints being set up.
Fraudsters could leverage these less secure environments to capture biometric data or trick users into approving transactions without their full awareness.
Key Takeaways from the RBI's Directive
Focus on Operators: The circular primarily targets 'AePS Touchpoint Operators' (ATOs) – these are the individuals onboarded by banks who operate the terminals (mobile or fixed) where AePS transactions are conducted.
Mandatory Due Diligence: Acquiring banks (the banks that onboard these operators) must now carry out due diligence of all ATOs before onboarding them, adopting the same KYC process as for individual customers. If due diligence was already done for them as Business Correspondents, that can be adopted.
Periodic KYC Updates: Banks are also required to carry out periodic updates of the KYC of the operators.
Inactive Operator Review: If an ATO has not performed any financial or non-financial transaction for a customer for a continuous period of three months, the acquiring bank shall carry out KYC of the ATO before enabling them to transact further.
Enhanced Risk Management: Acquiring banks must continuously monitor the activities of ATOs through their transaction monitoring systems.
Operational parameters, based on the ATOs' business risk profile, including aspects like location, type of ATO, and volume and velocity of transactions, shall be part of the bank's fraud risk management framework. These parameters will be reviewed periodically to reflect emerging fraud trends.
System Controls: Banks must put in place adequate system-level controls to ensure that any technological integrations, such as APIs, are used only for enabling AePS operations.
Effective Date: These new directions come into effect from January 01, 2026.
How Does This Impact Different Stakeholders?
For the Customer: This is great news for your financial security. The stricter due diligence and monitoring of AePS operators mean reduced risk of identity theft and fraud when you use your Aadhaar for payments. It builds greater trust in a system that's vital for financial inclusion.
The customer needs to ensure that they are interacting with a legitimate operator and that their biometric details are captured securely. Any suspicious activity needs to be reported to the bank immediately.
For Banks and Financial Institutions (Acquiring Banks): This circular places a significant responsibility on acquiring banks. They will need to:
Strengthen Onboarding Processes: Implement robust KYC procedures for all new and existing AePS operators.
Upgrade Monitoring Systems: Enhance their transaction monitoring systems to identify suspicious activities of ATOs more effectively.
Review Risk Frameworks: Update their fraud risk management frameworks to incorporate the new parameters set by the RBI.
Ensure Compliance: Get ready to comply with these new directives well before January 1, 2026.
For ATOs: An AePS operator would be subject to more rigorous background checks and continuous monitoring by the acquiring bank. This is a necessary step to weed out fraudulent elements and ensure the integrity of the payments system.
Fintrails Analysis
The RBI's move highlights a proactive approach to evolving digital payment risks. As AePS has become ubiquitous, especially in rural and semi-urban areas, protecting vulnerable users from identity-related fraud is paramount.
The focus on 'due diligence' and 'risk management' for the 'last mile' operators – the AePS Touchpoint Operators – is a crucial and logical step. Fraudsters often exploit weaknesses at the point of interaction, and by tightening controls here, the RBI aims to plug a significant loophole.
This circular underscores the importance of continuous vigilance in the digital payments landscape. While the convenience of biometric authentication is undeniable, it also presents unique challenges if the touchpoints are compromised.
The ongoing review of operational parameters, as mandated by the RBI, suggests an adaptive regulatory stance to emerging fraud trends.
Scenarios for Enhanced Risk Monitoring
To fulfill the enhanced risk management directive, banks will monitor the activities of the ATOs. To facilitate scenario-based monitoring, these can be logically grouped as follows:
Transactional Behavior Monitoring:
Volume of Transactions: Tracking the number of financial and non-financial transactions processed over specific periods (daily, weekly, monthly) by an ATO, looking for unusual spikes or drops that deviate from historical patterns.
Velocity of Transactions: Analyzing the speed at which transactions occur, especially multiple rapid transactions for the same customer or different customers in a very short span, and unusual timings (e.g., late-night or early-morning activity).
Value of Transactions: Monitoring average transaction values, high-value transactions, or patterns of numerous small-value transactions that might indicate money laundering or testing compromised credentials.
Customer Patterns: Observing repeat customer usage, frequency of transactions by the same customer, or high rates of failed biometric authentications, which could indicate issues with the ATO's device or attempts at fraud.
Operational & Geographic Monitoring:
Location of ATO: Monitoring the usual operating location of an ATO and flagging significant deviations or frequent changes without prior notification. Banks will also identify if an ATO operates in areas known for higher fraud incidence.
Type of ATO/Business Profile: Understanding the nature of the operator's business (e.g., small shop, dedicated business correspondent) to set expected transaction patterns and assess inherent risk.
API Usage & System Controls: Ensuring that all technological integrations and API usage by the ATO are strictly for legitimate AePS operations, and immediately flagging any attempts to misuse APIs.
Fraud Incident Tracking:
Chargebacks/Disputes: Tracking the number of customer disputes or chargebacks directly linked to transactions processed by a specific ATO.
Fraud Reports: Any direct reports or alerts from customers or internal systems about suspicious or fraudulent activities originating from an ATO.
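As an added illustration (not part of the circular or this post), the sketch below shows how an acquiring bank's monitoring system might implement three of the scenarios above over ATO transaction records: same-customer velocity, the three-month inactivity check that triggers re-KYC, and same-day location deviation. The record schema, the 10-minute window, the 90-day approximation of "three months" and the sample values are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical schema, not real data):
# (ato_id, customer_ref, timestamp, amount_inr, district)
SAMPLE_TXNS = [
    ("ATO-001", "C-11", "2025-09-01T10:00:00", 2000, "Nashik"),
    ("ATO-001", "C-12", "2025-09-01T10:20:00", 1500, "Nashik"),
    ("ATO-002", "C-21", "2025-09-01T01:05:00", 9000, "Pune"),
    ("ATO-002", "C-21", "2025-09-01T01:07:00", 9000, "Pune"),
    ("ATO-002", "C-21", "2025-09-01T01:09:00", 9000, "Nagpur"),
    ("ATO-003", "C-31", "2025-05-20T12:00:00", 500, "Latur"),
]


def velocity_alerts(txns, window=timedelta(minutes=10), threshold=3):
    """(ato, customer) pairs with >= threshold transactions inside one window:
    the 'multiple rapid transactions for the same customer' scenario."""
    times = defaultdict(list)
    for ato, cust, ts, _amt, _dist in txns:
        times[(ato, cust)].append(datetime.fromisoformat(ts))
    flagged = set()
    for key, ts_list in times.items():
        ts_list.sort()
        for i in range(len(ts_list) - threshold + 1):
            if ts_list[i + threshold - 1] - ts_list[i] <= window:
                flagged.add(key)
                break
    return flagged


def inactive_atos(txns, as_of_iso, inactive_after=timedelta(days=90)):
    """ATOs with no transaction for the inactivity period (the circular's
    three months, approximated here as 90 days): re-KYC before re-enabling."""
    as_of = datetime.fromisoformat(as_of_iso)
    last_seen = {}
    for ato, _c, ts, _amt, _dist in txns:
        t = datetime.fromisoformat(ts)
        last_seen[ato] = max(last_seen.get(ato, t), t)
    return {ato for ato, t in last_seen.items() if as_of - t > inactive_after}


def location_deviation(txns):
    """ATOs transacting from more than one district on the same calendar day,
    a proxy for the 'significant deviation in operating location' scenario."""
    districts = defaultdict(set)
    for ato, _c, ts, _amt, dist in txns:
        districts[(ato, datetime.fromisoformat(ts).date())].add(dist)
    return {ato for (ato, _day), seen in districts.items() if len(seen) > 1}
```

In a real deployment the thresholds would be tuned per ATO risk profile and reviewed periodically, as the circular requires, rather than fixed as here.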
Conclusion
The RBI's latest circular is a clear signal: safeguarding digital transactions is a top priority.
By strengthening the due diligence and risk management around AePS touchpoint operators, India's central bank is taking decisive action to secure one of the most vital arteries of financial inclusion.
While implementation might pose initial operational challenges for banks, especially in managing the KYC of a large number of operators, the long-term benefits in terms of enhanced security and increased public trust in AePS will far outweigh these.
It's a necessary step towards a more resilient digital payments infrastructure in India.
This move will not only protect customers but also reinforce the foundation of trust in our rapidly evolving digital payment ecosystem.